Script Valley
HTTP & The Web: How It Actually Works

Practice & Assessment

Test your understanding of Web Security Essentials

Multiple Choice Questions (6 questions)

1. A user inputs the text <script>alert(1)</script> into a profile name field. The app stores it and later renders it using element.innerHTML = name. What attack has occurred, and what is the fix?

2. Why must state-changing API endpoints (e.g., transfers, deletions) use POST/PUT/DELETE and never GET?

3. A login endpoint concatenates the user-supplied email into a SQL query. An attacker submits admin@example.com'-- as the email. What does this do?

4. Which cookie attribute prevents JavaScript from reading the cookie value, protecting session tokens from XSS attacks?

5. The header X-Content-Type-Options: nosniff is set on all responses. What attack does this prevent?

6. A cookie is set with SameSite=None but without the Secure attribute. What happens in modern browsers?

Coding Challenges (1 challenge)

1. Security Header Auditor

Write a script that accepts a list of URLs and checks each one for the presence and correctness of key security response headers: Strict-Transport-Security (check max-age >= 31536000), Content-Security-Policy (present or not), X-Content-Type-Options (must be 'nosniff'), X-Frame-Options (must be DENY or SAMEORIGIN), Referrer-Policy (present or not). For each URL, output a table with a PASS/FAIL/MISSING status per header and a final security score out of 5. Estimated time: 20–25 minutes.

Difficulty: Easy
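The core of such an auditor, added here as an illustration and not a Script Valley reference solution: it scores one response's header set against the five rules above and prints the PASS/FAIL/MISSING table. The URLs and header values are constructed samples so it runs offline; fetching live headers (for example with a HEAD request) is left to the reader.

```python
import re

def hsts_ok(value):
    # True only if a max-age directive is present and is at least one year.
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= 31536000  # 365 days in seconds

# Header name -> predicate on its value; lookup is case-insensitive, as HTTP is.
RULES = {
    "Strict-Transport-Security": hsts_ok,
    "Content-Security-Policy": lambda v: bool(v.strip()),   # presence only
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Referrer-Policy": lambda v: bool(v.strip()),           # presence only
}

def audit_headers(headers):
    """Return ({header: PASS|FAIL|MISSING}, score out of 5) for one response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    results = {}
    for name, rule in RULES.items():
        value = lowered.get(name.lower())
        results[name] = "MISSING" if value is None else ("PASS" if rule(value) else "FAIL")
    return results, sum(1 for s in results.values() if s == "PASS")

def render_table(url, results, score):
    rows = [url] + [f"  {name:<26} {status}" for name, status in results.items()]
    return "\n".join(rows + [f"  Score: {score}/5"])

# Constructed sample responses: one hardened, one weak (lowercase names on purpose).
SAMPLE_RESPONSES = {
    "https://hardened.example": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
    "https://weak.example": {
        "strict-transport-security": "max-age=300",  # far below one year
        "x-content-type-options": "nosniff",
        "x-frame-options": "ALLOWALL",  # neither DENY nor SAMEORIGIN
    },
}

if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES.items():
        print(render_table(url, *audit_headers(headers)))
```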

Mini Project (1 project)

1. Secure Notes API

Build a small notes API with proper security hardening end to end. Implement:

(1) POST /auth/register and POST /auth/login using parameterized SQL queries (SQLite is fine); never concatenate user input into queries.
(2) JWT-based authentication, with the token stored in an HttpOnly, Secure, SameSite=Strict cookie (do not use localStorage).
(3) GET /notes and POST /notes endpoints protected by the JWT.
(4) Every response must include Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy: default-src 'self', and Referrer-Policy: strict-origin-when-cross-origin.
(5) CORS configured to allow one specific frontend origin only.
(6) Rate limiting on /auth/login: 5 attempts per minute per IP.

Demonstrate both a working legitimate flow and a rejected SQL injection attempt in a README.

Difficulty: Hard